Increase NFTables rule matching speed


Ben Grande

Jun 5, 2024, 12:33:49 PM
to qubes...@googlegroups.com

Hello qubes-devel,

Is it worth looking into improving QubesOS NFTables rule matching
speed? In order of speed: `if` > `ifgroup` > `ifname` (output and
input). Qubes uses a mix of them. Would work on changing the
rules to get faster matching be worth it?

Some rules matching 'iifname "vif*"' could be changed to 'iifgroup 2'.

Rules of a netvm:

$ sudo nft -s list ruleset | grep iif

iifgroup 2 goto antispoof
iifname . ip saddr @allowed accept
iifgroup 2 udp dport 68 counter drop
iifgroup 2 meta l4proto icmp accept
iif "lo" accept
iifgroup 2 counter reject with icmp host-prohibited
iifname . ip6 saddr @allowed accept
iifgroup 2 goto antispoof
iifgroup 2 goto _icmpv6
iif "lo" accept
iifname != "vif*" accept
iifname != "vif*" ip saddr { 10.137.0.67, 10.137.0.90, 10.138.35.169, 10.138.38.234 } drop
iifname != "vif*" accept
meta l4proto { tcp, udp } iifgroup 2 oifgroup 1 flow add @qubes-accel

--
Benjamin Grande
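The rewrite the message proposes, shown side by side as an added example (this is not Qubes' own firewall script and not part of the thread). The table and chain names are placeholders, the interface name `vif42.0` is constructed, and it assumes the vif interfaces are placed in interface group 2 before they carry traffic; group 2 is taken from the `iifgroup 2` rules in the listing above, not from any Qubes documentation.

```nft
#!/usr/sbin/nft -f
# Added example for the thread above; not Qubes' own rules.
#
# Assumptions (not taken from the thread):
#  - "example" / "forward" / "input" are placeholder table and chain names;
#  - every vif* interface was put into interface group 2 before it passes
#    traffic, e.g. "ip link set dev vif42.0 group 2" (vif42.0 is a
#    constructed name). Interfaces start in group 0, so a device that
#    misses the assignment will simply not match the iifgroup rules.

table inet example {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept

        # Before: a wildcard string compare against "vif*" on every packet.
        # Kept as comments so that the script loads only one variant.
        # iifname "vif*" oifname != "vif*" counter accept
        # iifname != "vif*" counter drop

        # After: one integer compare on the ingress/egress device's group.
        iifgroup 2 oifgroup != 2 counter accept
        iifgroup != 2 counter drop
    }

    chain input {
        type filter hook input priority filter; policy drop;
        # "iif" matches on the interface index, the fastest of the three,
        # but the index is resolved when the rule is loaded, so it only
        # suits devices that exist at load time and are never recreated,
        # which is why the listing uses it for "lo" only.
        iif "lo" accept
        ct state established,related accept
    }
}
```

`sudo nft -c -f example.nft` parses the file without loading it, and once loaded `sudo nft -s list ruleset | grep -E 'iif(name|group)'` shows the same stateless rule form as in the listing above. Note that `iifname != "vif*"` and `iifgroup != 2` are only equivalent while every vif interface really is in group 2; a device created outside the group falls on the "not a vif" side of the group-based rule.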

Marek Marczykowski-Górecki

Jun 5, 2024, 12:36:30 PM
to Ben Grande, qubes...@googlegroups.com

On Wed, Jun 05, 2024 at 06:33:42PM +0200, Ben Grande wrote:
> Hello qubes-devel,
>
> Is it worth looking into improving QubesOS NFTables rule matching
> speed? In order of speed: `if` > `ifgroup` > `ifname` (output and
> input). Qubes uses a mix of them. Would work on changing the
> rules to get faster matching be worth it?
>
> Some rules matching 'iifname "vif*"' could be changed to 'iifgroup 2'.
>
> Rules of a netvm:
>
> $ sudo nft -s list ruleset | grep iif
>
> iifgroup 2 goto antispoof
> iifname . ip saddr @allowed accept
> iifgroup 2 udp dport 68 counter drop
> iifgroup 2 meta l4proto icmp accept
> iif "lo" accept
> iifgroup 2 counter reject with icmp host-prohibited
> iifname . ip6 saddr @allowed accept
> iifgroup 2 goto antispoof
> iifgroup 2 goto _icmpv6
> iif "lo" accept
> iifname != "vif*" accept
> iifname != "vif*" ip saddr { 10.137.0.67, 10.137.0.90, 10.138.35.169, 10.138.38.234 } drop
> iifname != "vif*" accept
> meta l4proto { tcp, udp } iifgroup 2 oifgroup 1 flow add @qubes-accel

Take a look at the "Firewall antispoofing in ingress hook" thread, it
goes even further for some parts.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab